Analysis

  • max time kernel
    144s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2024, 10:29

General

  • Target

    2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe

  • Size

    180KB

  • MD5

    355e874600855f9bf304b72ccdd34240

  • SHA1

    3527e1ed4562dfddcc62eabd6162e5ac16ca7409

  • SHA256

    4ff4b137e5699132c4e1dc0dbf4e5a438384d0dcf5274a8bbaa2fef294e56b72

  • SHA512

    81f383ffc191c50d51824ff549f394304719868d1c483eeb63fb2bffa0331ea33f63d363fca014b26c57ed295834cce43d8b03efee605b79dffa70327770e873

  • SSDEEP

    3072:jEGh0oilfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGgl5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\{7E276D32-A514-4155-8876-08BD965285C1}.exe
      C:\Windows\{7E276D32-A514-4155-8876-08BD965285C1}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\{0C29E692-E036-4090-8016-5D80C5FB998E}.exe
        C:\Windows\{0C29E692-E036-4090-8016-5D80C5FB998E}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\{6E03D7A9-89F8-45cb-A4AA-7A74E7F67236}.exe
          C:\Windows\{6E03D7A9-89F8-45cb-A4AA-7A74E7F67236}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Windows\{8B939051-7521-45ea-981B-4A66E4C987AB}.exe
            C:\Windows\{8B939051-7521-45ea-981B-4A66E4C987AB}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2968
            • C:\Windows\{9511F70C-6553-4306-8253-DF062C00A94B}.exe
              C:\Windows\{9511F70C-6553-4306-8253-DF062C00A94B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1876
              • C:\Windows\{72A32022-0B4B-4c2b-8F73-F0717791C59D}.exe
                C:\Windows\{72A32022-0B4B-4c2b-8F73-F0717791C59D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2720
                • C:\Windows\{140E6455-DC27-434e-9451-3D9A7A791050}.exe
                  C:\Windows\{140E6455-DC27-434e-9451-3D9A7A791050}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2560
                  • C:\Windows\{33AE6A4C-9801-4646-B76C-F4ABB0D21E27}.exe
                    C:\Windows\{33AE6A4C-9801-4646-B76C-F4ABB0D21E27}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1144
                    • C:\Windows\{3A88B4FA-8920-4cb8-99E0-1AB6A12D496F}.exe
                      C:\Windows\{3A88B4FA-8920-4cb8-99E0-1AB6A12D496F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1716
                      • C:\Windows\{691A8079-7D12-4d80-8297-37CB28EDCE8B}.exe
                        C:\Windows\{691A8079-7D12-4d80-8297-37CB28EDCE8B}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2996
                        • C:\Windows\{A7541893-7F3F-4ff1-AFDE-238F7A3F64B4}.exe
                          C:\Windows\{A7541893-7F3F-4ff1-AFDE-238F7A3F64B4}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2268
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{691A8~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1596
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A88B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2256
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{33AE6~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2992
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{140E6~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2460
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{72A32~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1060
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9511F~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1680
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8B939~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2260
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{6E03D~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1660
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0C29E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E276~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2176
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0C29E692-E036-4090-8016-5D80C5FB998E}.exe

    Filesize

    180KB

    MD5

    47748315281c4a03d7f23d458fc944b9

    SHA1

    fee7f9336ec6344ae7429b901bec8412123955dd

    SHA256

    2430363ad32cfacbabd2d3e7259cc96384b30842205139d96a70bb4ed5229abd

    SHA512

    b339c16a702eb24810d9dae77d8e95da5c97fe0f754103eeeda6a9bfef5ba1e81a0995f81afd7f58fb08207990ec73e6589277c8fc14cc353f497fb65d69a310

  • C:\Windows\{140E6455-DC27-434e-9451-3D9A7A791050}.exe

    Filesize

    180KB

    MD5

    3c5aaee9a402a951a4d645cce0a63c8c

    SHA1

    8fbfc72edfa86da39f3628fa0401081c62f73b35

    SHA256

    0984285778af60314c739fc962b062b724db9b6198edde611645fa0d0f4691a0

    SHA512

    decd1994bb77b1166c031d433d17544b13f6e2e9a4499993a9c3de42562c00afd4ea91b328a171ac89e51ba2b4b71c454d5707acf8dbefeedaf7d1b4d8af3f1f

  • C:\Windows\{33AE6A4C-9801-4646-B76C-F4ABB0D21E27}.exe

    Filesize

    180KB

    MD5

    a896f09fdfdf60c67ae7cd2b06bcf478

    SHA1

    bad922ec10d74f111771b0889dc99ec6deaf8080

    SHA256

    dae8e73ad85b9db4ca2d24f7e3d3206a5e3122480971e13fb3e1db371823aec0

    SHA512

    36137dea3ea8ac54d083de91d6aafdcdb953d0fc5a0ac1a497878471eaef2a38e84644168175325663aabc8280653a8d94ee9cd2c93c2d83f3fd7153e826d2e6

  • C:\Windows\{3A88B4FA-8920-4cb8-99E0-1AB6A12D496F}.exe

    Filesize

    180KB

    MD5

    c7442d3a1f8dd457eaf58503b7c5b604

    SHA1

    15592ec58bb0ae8c0c40505ce47658f6d3cd195d

    SHA256

    200c8fe219b3f27ccee9e56f63c0b20f51d3e97abcc25777fb9949ce03f56f77

    SHA512

    2cec2cbe8c076226f97c61e620f984f478bdbcf00255a2e57bd76107a1ea17c6431016471ae89bebff27ad0b415e92e0158a79a94094724e1258c44fd66df163

  • C:\Windows\{691A8079-7D12-4d80-8297-37CB28EDCE8B}.exe

    Filesize

    180KB

    MD5

    7b198dd41752ff3369e6d5d0162c3f3a

    SHA1

    8db7ce8249112955f43301ffe3ade6718661859c

    SHA256

    9a6176a1510714c74dfe61affda20c58b9c2ed5b96d5996dec2803f2a7f4f1e9

    SHA512

    c7bd5412397797ac2dfba70ac8c6caf95b236161ccbe0485ed03daf081aa6220d41fb59de2a6d028101973901a3518bcaef240e9a9f262ff97d76669301f2766

  • C:\Windows\{6E03D7A9-89F8-45cb-A4AA-7A74E7F67236}.exe

    Filesize

    180KB

    MD5

    25748cfa2e0941d9f4de5616745ed746

    SHA1

    2d953c33f583bda9f321f0077f8b5484aa57939e

    SHA256

    d126c684420362fa4d5c593f8ed2164079c7e0743a23202970731740d9318973

    SHA512

    d539049cf1cf970c26aa6c278e4a5459eb8dc98071bd6085f9d6065f01a8c4e7243ca1589f342ee4cb2b08180e5ee3fb511ce554ff1ee9fc7c24355a47f1f746

  • C:\Windows\{72A32022-0B4B-4c2b-8F73-F0717791C59D}.exe

    Filesize

    180KB

    MD5

    4e694e55aabf3f8e9986483b2931d839

    SHA1

    9df8efbb7b65d3df290807b73a5a135609733f9a

    SHA256

    76d8b2691c771a7c0f3935b2b5bce0d7a61ba759d5410a6c9132bfc3928d1f1a

    SHA512

    42f981a1105fae00e12741a260a3a2e417a8e58d01b573e7ac10a50f7d56940d8822493dd9b383078bf6330aee3e7ca019dfdcd9b894cc450d191538a52fa8e1

  • C:\Windows\{7E276D32-A514-4155-8876-08BD965285C1}.exe

    Filesize

    180KB

    MD5

    96d94eb4b937442894c5c8fe1b8d1f56

    SHA1

    bfef69ce67645b9aa3a9dad116546e3e960cd385

    SHA256

    871ae987d9f608f3bf18e94293caba3539ea2235e1e4604bc2ae7b3db9552f72

    SHA512

    35961b1cd41fc7aa5596bf86ac244b1e04ade7f5fe21fd64e86e60d2b148f37947858aebb17ddb473270e63e4917695634de202a954a9418d31349573575d194

  • C:\Windows\{8B939051-7521-45ea-981B-4A66E4C987AB}.exe

    Filesize

    180KB

    MD5

    c17efdeb92ec320b454ec437b3cb4791

    SHA1

    e001d6e8f08fdbd4589093f5e598130c1450aade

    SHA256

    e13251df81cd42cdecf941b009f8cef134ca5f664a5a6d8de87b1741d176ccce

    SHA512

    c67f46211b33fd682d3f06eb676c111d1d985b323cec952b5512d477e802b9c6886e9cb9c52a4fef29a313123cd3f5e9fdbf563990243d46a7a086dd2f415347

  • C:\Windows\{9511F70C-6553-4306-8253-DF062C00A94B}.exe

    Filesize

    180KB

    MD5

    5890c99318819d7f4741f077bc7b8a33

    SHA1

    2f022c02eec8989c25bc47869dc9cdfe481a975b

    SHA256

    cdfba6fb748751e1b3a293781cb333b7f452776c8b483272b2995059092c7797

    SHA512

    5c99361d13ce9ca7308acf98fc59258cb7444fa0921f3754c17352aa45bbbf55e799badeb515545da2d1ba835687235715558180fed2d3d56af71e3dea8afc65

  • C:\Windows\{A7541893-7F3F-4ff1-AFDE-238F7A3F64B4}.exe

    Filesize

    180KB

    MD5

    4a3fd334680be883c19da06f60cb67c8

    SHA1

    24b9bf6f56bce414665ab429720eafaeddca7324

    SHA256

    a0a6689c4694d8d8dae2c66c67cf6aabdf1f5bd7d33f29e37afdafd373a0ef56

    SHA512

    ac33dc48b23e6f4ad65310d4a93ce1baf028b1919d1a36a4fa36e316140a9a66f4462dca21812da4b9d915e6327e8da95910f9477054e5dcdb0491fd7fc59c4e